Commit Graph

3367 Commits

Author SHA1 Message Date
Florian Roth
947925d81f
Merge pull request #1318 from rtkdmasse/azure-sysmon-image_load-generic
Update the azure image_load rule to be a generic sysmon rule
2021-01-09 10:29:52 +01:00
Florian Roth
04f7766d7a
Merge pull request #1319 from hieuttmmo/master
Detect Emotet DLL loading by looking rundll32.exe
2021-01-09 10:29:24 +01:00
Florian Roth
1a8bb9c991
Merge pull request #1327 from 2d4d/master
more AV event and suspicious commands
2021-01-09 10:28:30 +01:00
GlebSukhodolskiy
3f519ffa20
Just Check 2021-01-07 21:31:51 +03:00
Arnim Rupp
d5de3fe5f9 more AV event and suspicious commands
some of the AV events are duplicates to win_av_relevant_match.yml, should we clean that up or include the strings in both?
2021-01-07 17:54:19 +01:00
GlebSukhodolskiy
da5ec4e952
Update win_wmi_persistence.yml
Removed sequence of EIDs in Windows Security section.
2021-01-06 16:50:28 +03:00
yugoslavskiy
befcad2df7
Merge pull request #1234 from w0rk3r/oscd1
[OSCD] Update win_susp_replace_lolbin.yml
2021-01-06 00:32:55 +03:00
yugoslavskiy
6ebcb10abd
Merge pull request #1233 from V3T0/v3t0_oscd_lolbas_runonce_susp_execution
[OSCD] Added a rule to detect execution of runonce with suspicious parameters
2021-01-06 00:32:44 +03:00
yugoslavskiy
3bf1663503
Merge pull request #1232 from V3T0/v3t0_oscd_lolbas_tracker
[OSCD] Added a rule to detect the execution of tracker.exe with suspicious arguments
2021-01-06 00:32:35 +03:00
yugoslavskiy
e4c302bf6f
Merge pull request #1231 from vburov/patch-16
[OSCD] Detects LockerGoga Ransomware command line.
2021-01-06 00:30:08 +03:00
yugoslavskiy
2985836e36
Merge pull request #1140 from omkar72/oscd-5
[OSCD] adding shortened commands for Netsh in the existing rule
2021-01-06 00:24:43 +03:00
yugoslavskiy
d25ca9b280
Merge pull request #1229 from zinint/1009-19-1
[OSCD] Detects Obfuscated Powershell via COMPRESS OBFUSCATION #19 (4104, 4103 + Services + process_creation)
2021-01-06 00:24:08 +03:00
yugoslavskiy
7889df6644
Merge pull request #1227 from stvetro/oscd-runscripthelper
[OSCD] - Runscripthelper.exe runs script (LoLBin)
2021-01-06 00:24:00 +03:00
yugoslavskiy
0ed153237e
Merge pull request #1226 from stvetro/oscd-winword
[OSCD] - Force winword.exe to load DLL (LoLBin)
2021-01-06 00:23:52 +03:00
yugoslavskiy
1d2f027035
Merge pull request #1224 from stvetro/oscd
[OSCD] Verclsid.exe Runs COM Object (LOLBin)
2021-01-06 00:23:45 +03:00
yugoslavskiy
f4578b0698
Merge pull request #1223 from zinint/1009-23-1
[OSCD] Detects Obfuscated Powershell via RUNDLL Launcher #23 (4104, 4103 + Services + process_creation)
2021-01-06 00:23:33 +03:00
yugoslavskiy
23519e47cd
Merge pull request #1222 from feedb/oscd
[OSCD] zer0w
2021-01-06 00:23:25 +03:00
yugoslavskiy
93718975fb
Merge pull request #1221 from grikos/OSCD_117_128
[OSCD] suspicious csi.exe (rcsi.exe)  LOLBAS detection rule
2021-01-06 00:23:13 +03:00
yugoslavskiy
cd62929bb0
Merge pull request #1220 from aw350m33d/PS_exec_via_redirected_input_stream
[OSCD] LOLBIN 5 PowerShell with redirection of the input stream.
2021-01-06 00:23:06 +03:00
yugoslavskiy
70eff4b1fc
Merge pull request #1219 from ryanplasma/rplas-SIGMA-547-page-37
[OSCD] Add Files Dropped to Program Files by Non-Priviledged Process Rule
2021-01-06 00:22:57 +03:00
yugoslavskiy
a5bbccf16c
Merge pull request #1214 from tas-kmanager/mt-oscd-sigma547-48-alternative
[OSCD] Always Install Elevated Alternative
2021-01-06 00:22:37 +03:00
yugoslavskiy
066be03c19
Merge pull request #1212 from aleqs4ndr/oscd-2020
[OSCD] Added a rule to detect possible Zerologon exploitation
2021-01-06 00:21:12 +03:00
yugoslavskiy
29fe6e46d8
Merge pull request #1211 from zipa-original/win_persistence_telemetry
[OSCD] Added a rule to detect abusing windows telemetry for persistence
2021-01-06 00:20:51 +03:00
yugoslavskiy
c71e0ae0ea
Merge pull request #1209 from vburov/patch-15
[OSCD] Create win_susp_multiple_files_renamed_or_deleted.yml
2021-01-06 00:19:41 +03:00
yugoslavskiy
38661bbc10
Merge pull request #1208 from NikitaStormwind/RTT(17)
[OSCD] Atomic Red Team: Detected Windows Software Discovery (T1518)
2021-01-06 00:19:20 +03:00
yugoslavskiy
2cf1994763
Merge pull request #1206 from w0rk3r/oscd5
[OSCD] Windows - Suspicious Service DACL Modification
2021-01-06 00:18:53 +03:00
yugoslavskiy
aad2838f58
Merge pull request #1198 from tas-kmanager/mt-oscd-sigma547-50-rule2
[OSCD] Always Install Elevated - Slide 50 - Rule 2
2021-01-06 00:18:44 +03:00
yugoslavskiy
0b7babaa84
Merge pull request #1196 from tas-kmanager/mt-oscd-sigma547-50-rule1
[OSCD] Always Install Elevated - Slide 50 - Rule 1
2021-01-06 00:18:26 +03:00
yugoslavskiy
fc1fa23440
Merge pull request #1191 from vburov/patch-14
[OSCD] Create powershell_cmdline_special_characters.yml
2021-01-06 00:18:12 +03:00
yugoslavskiy
8e50eeb4a9
Merge pull request #1187 from nsaddler/lolbas108
[OSCD] LOLBAS Manage-bde.yml
2021-01-06 00:18:02 +03:00
yugoslavskiy
cfbd10ab8b
Merge pull request #1186 from nsaddler/lolbas107_2
[OSCD] LOLBAS CL_Mutexverifiers - powershell
2021-01-06 00:17:54 +03:00
yugoslavskiy
e91d48cc93
Merge pull request #1185 from nsaddler/lolbas107_1
[OSCD] LOLBAS CL_Mutexverifiers - process_creation
2021-01-06 00:17:46 +03:00
yugoslavskiy
9d1c695204
Merge pull request #1184 from nsaddler/lolbas106_1
[OSCD] LOLBAS CL_Invocation - powershell
2021-01-06 00:17:10 +03:00
yugoslavskiy
def4a7dbb9
Merge pull request #1183 from nsaddler/lolbas106
[OSCD] LOLBAS CL_Invocation - process_creation
2021-01-06 00:17:01 +03:00
yugoslavskiy
6f2e8c56b2
Merge pull request #1182 from nsaddler/lolbas80
[OSCD] LOLBAS wab.yml
2021-01-06 00:16:53 +03:00
yugoslavskiy
e1fd69f548
Merge pull request #1179 from SanWieb/OSCD_regedit_3
[OSCD] regedit.exe LOLbas 72 [3]
2021-01-06 00:16:45 +03:00
yugoslavskiy
8e6b77fc4f
Merge pull request #1177 from OpalSec/oscd
[OSCD] Tasks 24, 25 & 26: Detection for Invoke-Obfuscation CLIP+, STDIN+ & VAR+ Launchers
2021-01-06 00:16:34 +03:00
yugoslavskiy
95d8a9daf0
Merge pull request #1174 from uncleAntik/update
[OSCD] LOLBin vsjitdebugger.exe #136
2021-01-06 00:16:20 +03:00
yugoslavskiy
252345ca00
Merge pull request #1173 from uncleAntik/fix
[OSCD] LOLBin te.exe #133
2021-01-06 00:16:12 +03:00
yugoslavskiy
1fd0afc58e
Merge pull request #1167 from tas-kmanager/mt-oscd-sigma547-43
[OSCD] Add Accesschk tool usage rule
2021-01-06 00:14:08 +03:00
yugoslavskiy
5ade9208d5
Merge pull request #1166 from drdoc/oscd
[OSCD] Possible Zerologon (CVE-2020-1472) exploitation using well-known tools
2021-01-06 00:12:34 +03:00
yugoslavskiy
5ec4e42569
Merge pull request #1165 from w0rk3r/oscd3
[OSCD] Updated win_etw_trace_evasion - Added new detections, Removed reference to deprecated rule and changed selections
2021-01-06 00:12:22 +03:00
yugoslavskiy
46eb01f3c5
Merge pull request #1164 from GlebSukhodolskiy/oscd_reg
[OSCD] Modified Rule "Autorun Keys Modification"
2021-01-06 00:11:58 +03:00
yugoslavskiy
4c8e0b201d
Merge pull request #1162 from uncleAntik/131
[OSCD] LOLBin sqltoolsps.exe #131
2021-01-06 00:11:33 +03:00
yugoslavskiy
b56a7181ce
Merge pull request #1157 from invrep-de/oscd
[OSCD] Bad Opsec Powershell Artifacts
2021-01-06 00:11:24 +03:00
yugoslavskiy
319ebd158c
Merge pull request #1155 from sn0w0tter/oscd2
[OSCD] LOLBAS atbroker suspicious creation of ATs
2021-01-06 00:11:13 +03:00
yugoslavskiy
d2087c276c
Merge pull request #1151 from zinint/1009-27-2
[OSCD] Detects Obfuscated Powershell via VAR++ Launcher #27 (Services)
2021-01-06 00:10:55 +03:00
yugoslavskiy
0bd955f097
Merge branch 'oscd' into oscd-5 2021-01-06 00:09:47 +03:00
yugoslavskiy
1f0d081c01
Merge pull request #1144 from NikitaStormwind/regular28(3)
[OSCD] Detects Obfuscated Powershell via Stdin in Scripts #28 (Services)
2021-01-05 23:23:00 +03:00
yugoslavskiy
1cfc0d17ef
Merge pull request #1141 from omkar72/oscd-6
[OSCD] suspicious clr logs creation
2021-01-05 23:22:36 +03:00
yugoslavskiy
82e5d031b0
Merge pull request #1139 from omkar72/oscd-4
[OSCD] script applications loading .net dll
2021-01-05 23:17:25 +03:00
yugoslavskiy
a82c559816
Merge pull request #1130 from vburov/patch-13
[OSCD] Create powershell_cmdline_specific_encoded_methods.yml
2021-01-05 23:16:24 +03:00
yugoslavskiy
dd7a95ac74
Merge pull request #1081 from cy1337/patch-1
[OSCD] Added nltest LOLBIN
2021-01-05 23:16:14 +03:00
yugoslavskiy
f2c6011c6b
Merge pull request #1126 from skirankumar/master
[OSCD]Sysmon_silenttrinity_stager_msbuild_activity.yml
2021-01-05 23:14:20 +03:00
yugoslavskiy
1c1c38e091
Merge pull request #1119 from uncleAntik/oscd
[OSCD] sqlps.exe LOLbin
2021-01-05 23:14:02 +03:00
yugoslavskiy
07ac09f9aa
Merge pull request #1114 from NikitaStormwind/regular29(3)
[OSCD] Detects Obfuscated Powershell via use Clip.exe in Scripts #29 (Services)
2021-01-05 23:13:48 +03:00
yugoslavskiy
220a4873c7
Merge pull request #1109 from NikitaStormwind/regular31(3)
[OSCD] Detects Obfuscated Powershell via use MSHTA in Scripts #31 (Services)
2021-01-05 23:13:38 +03:00
yugoslavskiy
9803dc8baa
Merge pull request #1108 from NikitaStormwind/regular30(3)
[OSCD] Detects Obfuscated Powershell via use Rundll32 in Scripts #30 (Services)
2021-01-05 23:13:27 +03:00
yugoslavskiy
39991a8ab6
Merge pull request #1106 from stvetro/2020
[OSCD] Suspicious ftp.exe usage (LOLBin)
2021-01-05 23:13:03 +03:00
yugoslavskiy
804db42b7a
Merge pull request #1105 from Vasilisa-L/OSCD_rasautou
[OSCD] Rasautou.exe LOLbin
2021-01-05 23:12:48 +03:00
yugoslavskiy
794cd7aaeb
Merge pull request #1104 from Vasilisa-L/OSCD_rpcping
[OSCD] rpcping lolbin
2021-01-05 23:12:35 +03:00
yugoslavskiy
05b03afddb
Merge pull request #1103 from concorde18/oscd_win_susp_diskshadow
[OSCD] win_susp_diskshadow
2021-01-05 23:10:55 +03:00
yugoslavskiy
d48bac226f
Merge pull request #1099 from NikitaStormwind/regular31(2)
[OSCD] Detects Obfuscated Powershell via use MSHTA in Scripts #31 (process_creation)
2021-01-05 23:10:46 +03:00
yugoslavskiy
32aea9ad2b
Merge pull request #1098 from NikitaStormwind/regular31
[OSCD] Detects Obfuscated Powershell via use MSHTA in Scripts #31 (4104, 4103)
2021-01-05 23:10:28 +03:00
yugoslavskiy
ae3c0d0801
Merge pull request #1095 from esebese/task136
[OSCD]win_pe_exec_vsjitdebugger.yml added
2021-01-05 23:10:18 +03:00
yugoslavskiy
aa9182593a
Merge pull request #1087 from Vasilisa-L/OSCD_pester.bat
[OSCD] 109: Pester.bat
2021-01-05 23:09:47 +03:00
yugoslavskiy
1992b1ac9f
Merge pull request #1074 from semanurguneysu/oscd
[OSCD] Create sysmon_abusing_debug_privilege.yml
2021-01-05 23:06:57 +03:00
yugoslavskiy
b5c78212ad
Merge pull request #1076 from nsaddler/oscd5
[OSCD] Powershell without powershell.exe Rule Added
2021-01-05 23:06:37 +03:00
yugoslavskiy
c7e9522f29
Merge pull request #1077 from uchakin/oscd
[OSCD] UAC bypass added
2021-01-05 23:06:24 +03:00
yugoslavskiy
ff373b0f33
Update win_nltest_query.yml 2021-01-05 23:03:41 +03:00
yugoslavskiy
bceb3c8af0
Merge pull request #1047 from grikos/sigma/oscd
[OSCD] Registry modify via VBoxDrvInst
2021-01-05 23:00:20 +03:00
yugoslavskiy
87e5e5a7fc
Merge pull request #1069 from nsaddler/oscd3
[OSCD] Powershell Script Installed as a Service Rule added
2021-01-05 22:58:21 +03:00
Florian Roth
40e0e3bc99
Merge pull request #1193 from w0rk3r/oscd_rules_improvement
[OSCD] Windows Rules - Review for improvements on selections and logic
2020-12-31 12:10:15 +01:00
Florian Roth
ab408750ac
Merge pull request #1314 from Neo23x0/rule-devel
rule: Lazarus activity
2020-12-30 13:27:38 +01:00
Florian Roth
9ecaeb715f
Merge pull request #1317 from rtkdmasse/fix-missing-product-mouse-lock
Fix missing product mouse lock
2020-12-30 13:27:20 +01:00
ZikyHD
8a6b182fee
Update win_susp_adfind.yml 2020-12-29 14:41:46 +01:00
ZikyHD
ece829bb25
Update win_susp_adfind.yml
Typo on field name
2020-12-29 14:40:36 +01:00
Florian Roth
43033ab874
Update win_susp_emotet_rudll32_execution.yml 2020-12-25 09:05:55 +01:00
Tran Trung Hieu
d551b88d5c Edit title convention 2020-12-25 14:21:26 +07:00
Tran Trung Hieu
4297e68704 Detect Emotet DLL loading by looking rundll32.exe 2020-12-25 14:09:40 +07:00
Daniel Masse
fedda17231 Update the azure image_load rule to be a generic sysmon rule 2020-12-23 16:29:49 -05:00
Daniel Masse
bf539fd1fe Revert "Fix bug changing the logsource service to category"
This reverts commit 0f51e53d0e.
2020-12-23 15:50:49 -05:00
Daniel Masse
71ea5c7437 Add missing product in logsource 2020-12-23 15:45:00 -05:00
Daniel Masse
0f51e53d0e Fix bug changing the logsource service to category 2020-12-23 15:12:31 -05:00
Daniel Masse
e4c052154d Remove unneeded file 2020-12-23 14:30:24 -05:00
Daniel Masse
d2edf715f2 Split up cmstp rule into 3 separate rules and remove duplicates 2020-12-23 12:17:39 -05:00
Florian Roth
dedc34e91a fix: typos and description 2020-12-23 14:46:08 +01:00
Florian Roth
cdc29dfbe8 rule: Lazarus activity 2020-12-23 14:43:32 +01:00
Florian Roth
821af35557
Merge pull request #1313 from Neo23x0/rule-devel
Rule devel
2020-12-23 13:57:11 +01:00
Florian Roth
7286d01f78 fix: typo in rule 2020-12-23 13:26:44 +01:00
Florian Roth
80aa398392 rule: Lazarus group loaders 2020-12-23 13:25:16 +01:00
Florian Roth
c3f891beab
Merge pull request #1286 from V3T0/v3t0_oscd_lolbas_runonce_susp_persistence_
[OSCD] Added a rule to detect potential persistence using registry keys
2020-12-21 18:33:17 +01:00
Florian Roth
133b98ffcb
Merge pull request #1262 from invrep-de/oscd
[OSCD] Bad Opsec Sacrificial Processes Argument Discrepancy
2020-12-21 18:30:21 +01:00
Florian Roth
f20f346a6a
Merge pull request #1264 from omkar72/sdev-1
Adding 2 rules - Conhost & office test registry persistence
2020-12-21 18:28:59 +01:00
Florian Roth
e78d7e6aee
Merge pull request #1296 from mat-gas/fix-references
fix "references" field + add test for references in plural form
2020-12-21 18:25:35 +01:00
Florian Roth
377454cb31
Merge pull request #1299 from tjgeorgen/patch-1
ATT&CK subtechnique tag updates
2020-12-21 18:24:00 +01:00
Florian Roth
35ab80b39e
Merge pull request #1306 from d4rk-d4nph3/master
Added rule for Impacket's PsExec execution
2020-12-21 18:23:41 +01:00
Bhabesh Rai
0a7e95954e Fix for fail build 2020-12-14 12:55:08 +05:45
Bhabesh Rai
63fb31882e Added rule for Impacket's PsExec execution 2020-12-14 12:48:26 +05:45
Florian Roth
1b0aaf62c3
Merge pull request #1266 from omkar72/ryuk
modifying couple of rules
2020-12-13 19:05:54 +01:00
Florian Roth
e2ade077ed
Merge pull request #1275 from bczyz1/patch-3
update win_apt_slingshot.yml
2020-12-13 19:04:47 +01:00
Florian Roth
612008a4d8
fix identation 2020-12-11 18:40:17 +01:00
Tran Trung Hieu
edc79a8bb6 Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection 2020-12-11 15:17:23 +07:00
Florian Roth
b6d62b7a21
Merge pull request #1302 from Neo23x0/rule-devel
TA505 Dropper, minor fix in PowerShell Rule
2020-12-08 10:40:07 +01:00
Florian Roth
640470cefd TA505 Loader Rule 2020-12-08 10:15:30 +01:00
Florian Roth
540039cbc3 fix: Malicious Nishang PowerShell Commandlets FP with MDATP 2020-12-05 09:33:42 +01:00
tjgeorgen
1c6c3a36fe
include updated RDP att&ck tag 2020-12-04 11:59:23 -05:00
tjgeorgen
0eda1ab462
also update tag for folder variant 2020-12-04 11:42:05 -05:00
tjgeorgen
5208bdd65a
add new version of ATT&CK T1500 tag 2020-12-04 11:19:16 -05:00
yugoslavskiy
a028cdf1ee
Update powershell_shellcode_b64.yml 2020-12-01 02:24:35 +01:00
yugoslavskiy
7309fb7d0e
Update powershell_winlogon_helper_dll.yml 2020-12-01 02:23:02 +01:00
yugoslavskiy
36754ae3d5
Update win_vul_cve_2020_0688.yml 2020-12-01 02:16:22 +01:00
yugoslavskiy
0188e45925
Update win_malware_script_dropper.yml 2020-12-01 02:12:53 +01:00
yugoslavskiy
30ecc8bd26
Update win_malware_script_dropper.yml 2020-12-01 02:08:52 +01:00
yugoslavskiy
6494103839
Update win_susp_powershell_enc_cmd.yml 2020-12-01 01:54:51 +01:00
yugoslavskiy
d1b625d080
Update win_susp_powershell_enc_cmd.yml 2020-12-01 01:51:47 +01:00
yugoslavskiy
3cbc2f0aec
Update win_susp_powershell_enc_cmd.yml 2020-12-01 01:47:23 +01:00
yugoslavskiy
816ce5937c
Update win_susp_crackmapexec_execution.yml 2020-12-01 01:29:35 +01:00
Vasiliy Burov
cf8d195c5c
Update win_susp_multiple_files_renamed_or_deleted.yml 2020-11-30 11:49:42 +03:00
yugoslavskiy
56f94a19f7
Update win_regedit_export_keys.yml 2020-11-30 02:08:54 +01:00
yugoslavskiy
0414d7a498
Merge branch 'oscd' into master 2020-11-30 02:04:03 +01:00
Yugoslavskiy Daniil
d812a3e08e resolve conflict restoring rule win_susp_replace_lolbin.yml 2020-11-30 01:09:24 +01:00
Yugoslavskiy Daniil
98617609d6 Merge branch 'oscd' into HEAD 2020-11-30 01:07:26 +01:00
Yugoslavskiy Daniil
50623544a2 remove possible duplicate filter 2020-11-29 22:03:19 +01:00
OG
70fb078a56
Update sysmon_office_test_regadd.yml 2020-11-29 18:02:37 +05:30
OG
8e801ede32
Update win_susp_psexec_eula.yml 2020-11-29 17:45:29 +05:30
Jonhnathan
a9fde0117b
Merge branch 'oscd' into oscd_rules_improvement 2020-11-28 14:52:31 -03:00
yugoslavskiy
7dc5233dd9
Update win_susp_commands_recon_activity.yml 2020-11-28 18:43:04 +01:00
yugoslavskiy
5196926d60
Update sysmon_stickykey_like_backdoor.yml 2020-11-28 18:33:21 +01:00
yugoslavskiy
39c2258848
Update sysmon_registry_persistence_search_order.yml 2020-11-28 18:30:41 +01:00
yugoslavskiy
9f8ef95571
Update win_webshell_detection.yml 2020-11-28 18:25:09 +01:00
yugoslavskiy
c761d05a17
Update win_system_exe_anomaly.yml 2020-11-28 18:03:19 +01:00
yugoslavskiy
258334d6d1
Update win_susp_wmi_execution.yml 2020-11-28 18:01:06 +01:00
Jonhnathan
95eb7424aa
Update sysmon_susp_run_key_img_folder.yml 2020-11-28 13:54:59 -03:00
Jonhnathan
f504ccc33f
Update sysmon_susp_reg_persist_explorer_run.yml 2020-11-28 13:52:36 -03:00
Jonhnathan
986800056c
Update sysmon_stickykey_like_backdoor.yml 2020-11-28 13:50:13 -03:00
yugoslavskiy
c0c74a05df
Update win_susp_sysvol_access.yml 2020-11-28 17:49:21 +01:00
Jonhnathan
ef34c94e6a
Update sysmon_registry_persistence_search_order.yml 2020-11-28 13:49:18 -03:00
yugoslavskiy
3c75bc922a
Update win_susp_squirrel_lolbin.yml 2020-11-28 17:47:16 +01:00
Jonhnathan
06cc5049a4
Update sysmon_dns_serverlevelplugindll.yml 2020-11-28 13:46:02 -03:00
yugoslavskiy
42f27a41cb
Update win_susp_rundll32_by_ordinal.yml 2020-11-28 17:44:30 +01:00
yugoslavskiy
ca0a6547fb
Update win_susp_run_locations.yml 2020-11-28 17:42:47 +01:00
Jonhnathan
f1455e0c38
Update win_win10_sched_task_0day.yml 2020-11-28 13:42:30 -03:00
Jonhnathan
fe3ed329ef
Update win_webshell_recon_detection.yml 2020-11-28 13:41:11 -03:00
yugoslavskiy
ea550cf551
Update win_susp_regsvr32_anomalies.yml 2020-11-28 17:40:40 +01:00
Jonhnathan
f0bf3d13b5
Update win_webshell_detection.yml 2020-11-28 13:38:34 -03:00
Jonhnathan
9f4bbb7e65
Update win_webshell_detection.yml 2020-11-28 13:35:50 -03:00
yugoslavskiy
bcf62fba72
Update win_susp_ps_appdata.yml 2020-11-28 17:34:34 +01:00
yugoslavskiy
2ed4b26291
Update win_susp_procdump.yml 2020-11-28 17:33:02 +01:00
Jonhnathan
0d0f58c830
Update win_system_exe_anomaly.yml 2020-11-28 13:32:44 -03:00
yugoslavskiy
a3e436363e
Update win_susp_powershell_parent_combo.yml 2020-11-28 17:31:37 +01:00
Jonhnathan
c9b5ba10f8
Update win_susp_wmi_execution.yml 2020-11-28 13:30:34 -03:00
yugoslavskiy
c01c05b826
Update win_susp_powershell_enc_cmd.yml 2020-11-28 17:29:15 +01:00
Jonhnathan
f6117eebc7
Update win_susp_sysvol_access.yml 2020-11-28 13:27:28 -03:00
Jonhnathan
88b4d4c4e5
Update win_susp_sysvol_access.yml 2020-11-28 13:26:22 -03:00
yugoslavskiy
66a504078b
Update win_susp_ping_hex_ip.yml 2020-11-28 17:25:52 +01:00
Jonhnathan
7aa831eac3
Remove additional backslash 2020-11-28 13:25:28 -03:00
Jonhnathan
0357472635
Update win_susp_squirrel_lolbin.yml 2020-11-28 13:24:38 -03:00
Jonhnathan
f70bd415a3
Update win_susp_run_locations.yml 2020-11-28 13:21:04 -03:00
Jonhnathan
5cbefe3737
Update win_susp_regsvr32_anomalies.yml 2020-11-28 13:18:38 -03:00
Jonhnathan
e99f63f811
Update win_susp_ps_appdata.yml 2020-11-28 13:15:24 -03:00
Jonhnathan
fc842c22b2
Update win_susp_prog_location_process_starts.yml 2020-11-28 13:11:15 -03:00
Jonhnathan
a78eb61d92
Remove additional backslash 2020-11-28 13:08:51 -03:00
Jonhnathan
27f47a8ffc
Update win_susp_procdump.yml 2020-11-28 13:08:21 -03:00
Jonhnathan
b61707e7f3
Remove additional backslash 2020-11-28 13:07:06 -03:00
Jonhnathan
c9461506f2
Update win_susp_powershell_enc_cmd.yml 2020-11-28 13:06:10 -03:00
Jonhnathan
2364e9870d
Update win_susp_powershell_enc_cmd.yml 2020-11-28 13:05:47 -03:00
Jonhnathan
f4f8174199
Update win_susp_powershell_enc_cmd.yml 2020-11-28 13:04:36 -03:00
Jonhnathan
53e1201bea
Update win_susp_ping_hex_ip.yml 2020-11-28 13:01:42 -03:00
Jonhnathan
b24945999e
Update win_susp_ping_hex_ip.yml 2020-11-28 13:01:24 -03:00
Jonhnathan
1c56dc463a
Remove additional backslash 2020-11-28 12:38:19 -03:00
Jonhnathan
198bdb9659
Remove Additional backslash 2020-11-28 12:34:06 -03:00
Jonhnathan
63adc6fc09
Update win_susp_direct_asep_reg_keys_modification.yml 2020-11-28 12:32:35 -03:00
Jonhnathan
3481b0dd9e
Update win_susp_curl_start_combo.yml 2020-11-28 12:31:55 -03:00
yugoslavskiy
245a0d3438
Update win_susp_outlook.yml 2020-11-28 13:34:57 +01:00
yugoslavskiy
36299f5139
Update win_susp_net_execution.yml 2020-11-28 13:33:30 +01:00
yugoslavskiy
501791945f
Update win_susp_msiexec_web_install.yml 2020-11-28 13:32:01 +01:00
yugoslavskiy
8293fd8e5b
Update win_susp_iss_module_install.yml 2020-11-28 13:30:27 +01:00
yugoslavskiy
1896a45572
Update win_susp_ntdsutil.yml 2020-11-28 13:28:00 +01:00
Jonhnathan
4411fc5b0e
Update win_susp_commands_recon_activity.yml 2020-11-28 09:14:56 -03:00
Jonhnathan
2bf4644b48
Update win_renamed_paexec.yml 2020-11-28 09:08:48 -03:00
Jonhnathan
4e59fc0dfd
Update win_renamed_binary_highly_relevant.yml 2020-11-28 09:08:09 -03:00
yugoslavskiy
4354303174
Update win_susp_execution_path.yml 2020-11-28 13:07:22 +01:00
yugoslavskiy
77cf5d2563
Update win_susp_exec_folder.yml 2020-11-28 13:04:05 +01:00
yugoslavskiy
201377fa29
Update win_susp_csc_folder.yml 2020-11-28 13:01:03 +01:00
yugoslavskiy
c4a35036a0
Update win_susp_csc.yml 2020-11-28 12:54:18 +01:00
yugoslavskiy
5d7f42a4a6
Update win_susp_crackmapexec_execution.yml 2020-11-28 12:53:00 +01:00
yugoslavskiy
38e7853891
Update win_susp_copy_lateral_movement.yml 2020-11-28 12:44:54 +01:00
yugoslavskiy
34e64a6570
Update win_susp_codepage_switch.yml 2020-11-28 12:42:27 +01:00
yugoslavskiy
5278fcd476
Update win_susp_cmd_http_appdata.yml 2020-11-28 12:34:28 +01:00
yugoslavskiy
fd102c1b5f
Update win_susp_certutil_encode.yml 2020-11-28 12:31:40 +01:00
yugoslavskiy
68365f29c2
Update win_susp_certutil_command.yml 2020-11-28 12:29:30 +01:00
yugoslavskiy
c9596d7e30
Update win_susp_adfind.yml 2020-11-28 12:11:53 +01:00
yugoslavskiy
331a177f69
Update win_proc_wrong_parent.yml 2020-11-28 12:10:37 +01:00
yugoslavskiy
dbb054777a
Update win_plugx_susp_exe_locations.yml 2020-11-28 12:02:16 +01:00
yugoslavskiy
0fdd8e7128
Update win_netsh_port_fwd_3389.yml 2020-11-28 11:32:35 +01:00
yugoslavskiy
5d457f4f79
Update win_netsh_port_fwd.yml 2020-11-28 11:31:27 +01:00
yugoslavskiy
78193d3e3a
Update win_mal_adwind.yml 2020-11-28 11:25:28 +01:00
yugoslavskiy
de41e34d53
Update win_apt_sofacy.yml 2020-11-28 11:21:23 +01:00
yugoslavskiy
fe499d8838
Update win_apt_judgement_panda_gtr19.yml 2020-11-28 11:14:23 +01:00